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Information Commissioner's Office 


ICO consultation on the draft right of access 
guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please 


email SARguidance@ico.org.uk. 


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
Capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather 
this information. Any data collected by Snap Surveys for ICO is 


stored on UK servers. You can read their Privacy Policy. 


Q1 Does the draft guidance cover the relevant issues about the right 
of access? 


x Yes 
No 


Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


Q2 Does the draft guidance contain the right level of detail? 


Yes 
X No 


Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


On the whole the guidance adequately explains and advises on updated aspects of 
rights of access. However it is felt that the following sections require greater 
clarity: 


- Page 12: Only one type of attorney is referenced. If other types of attorney 
also have authority, would it be possible for this to be specifically stated. 
Furthermore, would be possible to provide some more specific guidance 
around the issue around power of attorneys. North Yorkshire County Council 
has previously been in communication around the issue of those who hold 
financial power of attorneys receiving health and social care information 
through a SAR despite not holding a health power of attorney. Whilst the 
ICO maintained the position of it being lawful to release the information 
further guidance was provided at that time. In particular, the ICO made it 
clear that it was a matter of discretion for the data controller and that if it 
was felt that the information released under SAR would be used to help 
make specific decisions about health then perhaps disclosure would not be 
appropriate. It would be helpful if this section could be updated to clarify the 
position. 


Page 13: In relation to children, and the considerations before responding, 
what used to be a two-stage test (with a logical “and”) is now two 
alternatives - with a logical “or”. Is that correct? If not please could this be 
clarified? Furthermore, the guidance states that parents can exercise a right 
to make a SAR on behalf of a child. Can the guidance make plain whether 
that means that one apparently made to further the parent’s interests would 


not be valid (e.g “I need the child’s data to go to court to increase my right 
of access”) 


Page 16: The detail around the clarification of when the time should start for 
responding to a request is helpful, however, further clarification is required. 
For example, there is a clear difference in receiving a request on 26" 
February compared to 26t" July. 


Page 18: Complex requests. It would be helpful to have some further 
guidance as to what this means in practice. For example, if an organisation 
has a number of specialist members of staff away from work who are 
required to the redacting, can there be an extension? 


Page 21/23: The guidance states that the clock will no longer stop when 
clarification is sought. This will be hugely problematic for many data 
controllers who quite often receive requests which are very difficult to 
determine without further explanation from the data subject. The 
communication with the data subject can sometimes take a long time 
meaning that even with an extension, the data controller’s ability to 
demonstrate compliance with timeframes will be severally affected. Would 
be possible to receive more specific guidance on this point, for example, 
what happens if a data subject does not respond? 


Page 25: Is it possible to clarify exactly what is meant by technical 
expertise. Also, what is mentioned about “deleted” data is at odds with the 
following paragraph regarding deleted emails. Further clarification would be 
helpful. 


Page 33: The list provided here is different to the one earlier on. It is also 
unclear what needs to be provided about the data subject’s own request. 
Further clarification would be helpful. 


Page 40: Some clarification around consent would be helpful. If you have 
taken no steps to gain consent does this mean you need to learn towards 
disclosure rather than refusal? If the individual has refused but without 
explanation does that lean towards disclosure rather than refusal. 
Meanwhile, can an employer really rely on consent from an employee? 


Page 67: A pupil’s data held by a teacher for his or own use is not part of an 
educational record. It is however accessible under SAR? Clarification would 
be helpful. 


Q3 Does the draft guidance contain enough examples? 


O Yes 
xX No 


Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


Page 15: More detailed example would be helpful here. 


Page 18: Any specialist work involved in redacting information or communicating it in 
an intelligible form - some clarification/details examples would be helpful 


Page 46: In general, this whole section would be a lot more helpful with more 
detailed examples provided that are applicable to a wide audience. 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


Public Sector: It is very usual for applicants to make repeated requests for information 
that is slightly different. For example, one requesting all records and then later for a 
specific referral document, then everything since last request whilst also putting in other 
requests such as for erasure etc. Some requests seem the same but are actually 
different. It has been difficult to determine whether these are excessive. The guidance 


has made it easier to determine this but more step by step examples would be very 
helpful. 


Law Enforcement: Due the lack of extension, it would be helpful to have some guidance 
around how this might work in practice. 


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all 2 - Slightly 3 - Moderately 4 - Very useful 5 - Extremely 
useful useful useful useful 
O 0O X 0O 


Q6 Why have you given this score? 


The guidance is detailed and provides good explanation in many areas. At this stage 
however, there are numerous places where further detail/explanation is required to 
ensure that as data controllers, we truly understand the position that needs to be taken. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly Disagree Neither agree nor Agree Strongly agree 
disagree disagree 
CJ O O O 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

O On behalf of an organisation 

X Other 


Please specify the name of your organisation: 


This is a joint response submitted by the North Yorkshire Information Governance 
Practitioners Group (formed as under the Multi-Agency Information Sharing 
Protocol). The NY IGP group is made up of practitioners representing local 
authorities, health bodies, emergency services, housing associations and other 


public sector organisations in the wider North Yorkshire area. 


www.northyorks.gov.uk/information-sharing 


What sector are you from: 


Public Sector 


Q10 How did you find out about this survey? 


ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 


ER ER A A O N 10 a E 


Thank you for taking the time to complete the survey. 


